The ZlpVault::maxDeposit function, which is responsible for ensuring that deposits do not exceed the vault's deposit cap, incorrectly uses totalAssets() for its calculation. Since totalAssets() includes tokens transferred directly to the vault (outside the proper deposit flow), the total can be inflated so that legitimate deposits through the authorized MarketMakingEngine are blocked.
The maxDeposit function assumes that all assets held by the vault were deposited via the MarketMakingEngine. Direct transfers bypass this assumption, allowing the remaining deposit capacity to be manipulated without ever interacting with the MarketMakingEngine.
The issue arises because totalAssetsCached is derived from totalAssets(), which includes both legitimate deposits made through the MarketMakingEngine (MME) and any tokens transferred directly to the vault contract.
Consider the following scenario:
1. The vault has a depositCap of 1000 ETH.
2. The MarketMakingEngine plans to deposit 1000 ETH for legitimate operations.
3. A user or attacker, accidentally or intentionally, transfers 1000 ETH directly to the vault (not via deposit()).
4. totalAssets() now returns 1000 ETH.
5. maxDeposit() returns 0, preventing any legitimate deposits.
6. MarketMakingEngine operations are blocked despite it being the only authorized depositor.
While this vulnerability does not directly result in loss of user funds, it creates significant operational risks by allowing an attacker to artificially block the MarketMakingEngine from performing legitimate deposits by manipulating the deposit cap through direct token transfers to the vault. This can effectively brick core protocol functionality and disrupt market operations.
Manual Review
A state variable that is only incremented when the MarketMakingEngine calls deposit() should be used instead of `totalAssets()`, for example:
```
maxAssets = depositCap > totalDepositedAssets ? depositCap - totalDepositedAssets : 0;
```
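As an added illustration (not ZlpVault's code), the following hypothetical minimal vault keeps the balance-based check beside the recommended deposit-tracked accounting, and also decrements the counter on withdraw so that capacity is released again. The contract name, the OpenZeppelin imports and the `withdraw` function are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical minimal capped vault illustrating the finding; not ZlpVault.
contract CappedVaultExample {
    using SafeERC20 for IERC20;
    IERC20 public immutable asset;
    address public immutable marketMakingEngine; // sole authorized depositor
    uint256 public depositCap;
    /// Moves only through deposit()/withdraw(), so a plain ERC20 transfer to
    /// this contract cannot consume the cap.
    uint256 public totalDepositedAssets;
    error Unauthorized();
    error ExceedsDepositCap(uint256 requested, uint256 available);
    constructor(IERC20 asset_, address mme_, uint256 cap_) {
        asset = asset_;
        marketMakingEngine = mme_;
        depositCap = cap_;
    }

    /// Balance-based view: inflatable by anyone via a direct transfer.
    function totalAssets() public view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    /// Vulnerable pattern: cap measured against the inflatable balance.
    function maxDepositVulnerable() external view returns (uint256) {
        uint256 total = totalAssets();
        return depositCap > total ? depositCap - total : 0;
    }

    /// Fixed pattern: cap measured against engine-deposited assets only.
    function maxDeposit() public view returns (uint256) {
        return depositCap > totalDepositedAssets ? depositCap - totalDepositedAssets : 0;
    }

    function deposit(uint256 assets) external {
        if (msg.sender != marketMakingEngine) revert Unauthorized();
        uint256 available = maxDeposit();
        if (assets > available) revert ExceedsDepositCap(assets, available);
        totalDepositedAssets += assets;
        asset.safeTransferFrom(msg.sender, address(this), assets);
    }

    function withdraw(uint256 assets, address to) external {
        if (msg.sender != marketMakingEngine) revert Unauthorized();
        totalDepositedAssets -= assets; // keep the cap accounting in sync
        asset.safeTransfer(to, assets);
    }
}
```

With this accounting, a direct transfer of 1000 ETH to the vault leaves maxDeposit() unchanged, while maxDepositVulnerable() drops to 0 as described in the scenario above.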